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This is a continuation-is part of U. S. Patent Application Sen No. 09/140,453, filed 
August 26, 1998. 

FI ELD AND BACKGROUND 

The present invention is of a method and a system for the management of 

communication serious for computer network-based telephone communication, and in 
15 particular for the identification of packets containing audio and/or video data, for the 

storage of these packets, and for the reconstruction of selected communication sessions 

for audio end/ or video display as needed. 

Tfos integration of the computer into office communication systems has enabled 

many functions previously performed by separate devices to be combined into a single 
20 management system operated through a computer. For example, computer-based voice 

logging systems enable a computer to receive voice communication through a hardware 

connection tc the regular telephony network, to record cither a conversation, in which at 

least two parties converse, or a message from at least one party to one or more parties, 

and to replay these recorded conversations or messages upon request. These voice 
23 logging systems can replace mechanical telephone answering machines. 

The computer logging systems have many advantage$ over the mechanical 

answering machines. For example, the voice messages can be stored in a computer- 
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based storage medium, such as a DAT cassette, which has a greater storage capacity 
than regul ir audio cassettes. Furthermore, the stored voice messages can be organized 
in a database, such that the messages can retrieved according to time, date, channel, 
dialed number or caller identification,, for example. Such organization is not possible 

5 with a mechanical telephone answering machine, Thus, computer logging systems for 
vuice messages have many advantages ovct mechanical answering machines, 

Un fortunately, currently available computer logging systems have the 
disadvantage of being unable to record telephone communication sessions, whether 
conversations or messages, for voice communication being perforated through a LAN 

io (local area network) or a WAN (wide area network). Although these logging systems 
can play back voice messages to a remote user through a LAN„ for example, they 
cannot record such a message if it is transmitted by a LAN-based telephone. Such LAN 
and WAX based telephone communication has become more popular recently, since it 
enables telephone communication to be performed between various parties at physically 

15 separated sites without paying for local regular telephony network services, thereby 
saving money. 

Furthermore, LAN and WAN based telephone communication also facilitates 
the transmission of video as well as audio information. Video information certainly 
cannot be recorded by currently available computer logging systems. Thus, the inability 
20 of computer logging systems to record telephone communication sessions for telephone 
communication being performed through a LAN or a WAN, including both video and 
audio data, is a significant disadvantage of these systems. 

There is therefore a need for, and it would be highly advantageous to have, a 
system and a method for recording telephone communication sessions performed over a 



19/09 ' 0U 12:33 ©972 3 5625554 



DR. M t FRIEDMAN 



6 oijj. 



3 

computer network, such as a LAN or a WAN, which would reeord both audio and video 
inlbnnatian, organize such information, and then display such information upon 
request. 

The switching industry is moving towards the TP world. This move is having a 
5 huge impact on the telecommunications industry. It is too early to understand the full 
impact of this move. 

The IP multimedia initiative got its momentum vyhen the Internationa] 
Tdecommunications Union published the H.323 standard ensuring compatibility 
between switching product from different vendors, The H3?3 standard provides a 
10 foundation for audio, video and data communication across IP-based networks 
including ihe Internet. 

Most of the main switching vendors such as Lucent, Siemens, Nortel and 
Alcatel ha/e decided to integrate IP into then- current switching platforms. Veiy soon, 
these vendors will present the market with new switch platforms based on IP 
15 technology. 

All current recording solutions are based on the fact that a PBX Or a central 
office utilizes a central switching matrix, with all calls being routed via this central 
matrix. Integration with this matrix insures that all calls routed by the PBX or central 
office could be recorded by a digital recording system that has a connection to the 
20 switch malrix. This, however, is inconsistent with the IP environment, which is 
inherently decentralized. 

There is therefore n need for, and it would be highly advantageous to have, a 
system and a method for recording telephone communication sessions performed over a 
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computer network, such as a LAN or a WAN, that would be independent of a central 
switching matrix - 

SUMMARY QF THE IN VENTION 

It is one object of the piesciit invention to provide a system and a method for 
recording communication sessions performed over a computer network, 

Ix is another object of the present invention to provide such a system and meLhod 
for analyzing data transmitted over the computer network in order to detect audio and 
video data for recording. 

It is siill Mother object of the present invention to provide such a system and 
method for displaying recorded video and audio data upon request 

1 1 is yet another object of the present invention to provide such a system and 
method for analyzing, recording and displaying communication sessions conducted 
with a LAN-based telephone system, 

These and other objects of the present invention are explained in farther detail 
with ieg£xd to the drawings, description and claims provided beiow. 

The present invention provides a system and a method for analyzing data 
packets on a computer network, for selectively recording audio and video data packets, 
for organizing this stored information and for displaying the stored information upon 
request, such that communication sessions with computer network-based "telephone" 
systems can be logged. 

According to the teachings of the present invention, there is provided a system 
for managing a communication session over a computer network the system 
comprising: fa) a network connector for connecting to the computer network and for 
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receiving date packets from the computer network; (b) a filtering unit for filtering the 
data packets and far accepting the data packets substantially only if the data packets 
contain data selected from the group consisting of audio data and video data, such that 
the data packets form at least a portion of the communication session and $uch that the 

5 data packets are selected data packets, (c) a management unit for receiving the selected 
data packets and for storing the selected data packets, such that the selected data 
packets ^re stored data packets; and (d) a storage medium for receiving and for storing 
ihe stored data packets from the management unit, such that the at ieast a portion of the 
communication session is stored. 

io Preferably, the system further comprises (e) a data restore unit for retrieving and 

displaying the at leasi a portion of the communication session, the data restore unit 
requesting the data packets from the storage medium through the management unit, and 
the data restore unit reconstructing the data packets for displaying the at least a portion 
of the communication session, 

25 More preferably, the data restore rait Further comprises a communication 

session tlisplay unit for displaying the at least a portion of the communication session. 
Most preferably, the conraunicaifon session display unit is selected from the group 
consisting of a video unit and an audio unit. 

According to preferred embodiments of the present invention, the system further 

20 comprise (1) a database connected to the filtering unit for storing filtering information, 
the filtering information including at least one TP address of a party whose 
communication sessions are monitored: wherein the filtering unit accepts the data 
packets according to the filtering information, such that the filtering unit substantially 
only accepts the data packets if the data packets fulfill the filtering information. 
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Prelerably, the system further comprises (g) a user computer for receiving at 
least one command of a user and for displaying information, to the user, such that the 
nser determines the .filtering information according to the at least one command of the 
user. 

5 More preferably, the computer network is selected from the group consisting of 

a LAN (local area network) and a WAN (wide area network). Most preferably, the 
computer network is a LAN (local area network). 

According to father preferred embodiments of the present invention, the LAN 
is divided into at least two segments, the system further comprising: (h) a loca) 

10 management unit for each segment, the local management unit including the filtering 
unit and the management unit; and (i) a central management unit for controlling the 
local management units, the central management unit controlling storage in the storage 
medium 

Preferably, the network connector is a network interface card- 
15 According ro another embodiment of the present invention, there is provided a 

method for storing at least a portion of a communication session performed on a 
computer network, the communication session being performed between a packet 
source and a packet destination, the steps of the method being performed by a data 
processor, the method comprising the steps of: (a) receiving a data packet from the 
20 packet source on the computer network; (b) analyzing the data packet to determine if 
the dat* packet is an IP packet: (c) if the data packet is the IP packet, filtering the IP 
packet to determine a rype of the IP packet: and (d) stormg the IP packet to form a 
stored data packet according to the type, such that the stored data packet forms at least a 
portion of the cormmmication session. Preferably, the Step of analyzing the data packet 
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Is performed by examining a header of the data packet, 

According to a preferred embodiment of the present invention, the stsp of 
filtering tie IP packet is performed by examining the header of the IP packet. 

Preferably, the step of filtering the TP packet further comprises the steps of: (i) 
5 examining (he header of the IP packet to determine an IP address of the packet source; 
(ii) determining if the IP address is a recorded IP address: (iii) passing the IP packet to 
form a passed TP packet substantially only if the IP address is the recorded IP address; 
and (iv) alternatively, dumping the IP packet. 

More preferably, ihe step of determining if the IP address is the recorded IP 
ID address is performed by comparing the IP address to a list of IP addresses from packet 
sources, such that if the IP address is included in the list the IP address is the recorded 
IP address. 

Ai:;o preferably, the step of filtering the TP packet further comprises the steps of: 
fv) determining whether the passed IP packet is an H.225 packet, a R245 packet mJ 
15 RIP packet or an RTCP packet; (vi) if ihe type of the passed IP packet is the H.225 
packet determining whether the H.225 packet is a setup packet or a connect packet: 
(vii) if the B225 packet is the setup packet, setting a status flag as "start session 
request"; (viii) alternatively, if the H.225 packet is the connect packet and the status 
flag is ' start session request", storing at least one detail of the communication session; 
20 and (ix) siting the status flag as "wait for logic channel". 

More preferably, the step of filtering the IP packet further comprises the steps 
of: (x) alternatively, if the type of the passed IP packet is the EL245 packet, determining 
whether the H 245 packet is an open logical channel request packet, an open logical 
channel acknowledgment packet cr a terminal capability set packet; (x\) if the H.245 
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packei is he open logical channel request packet and the status flag is ■'wait Pot logic 
channel", setting the status flag as ^wait for acknowledgment 77 ; (xii) alternatively, if the 
R245 packet h the open logical channel acknowledgment packet and the status flag is 
'wait for acknowledgment^ performing Lhe steps of: (A) setting the states flag as "wait 
5 for terminal capability*'; and (B) saving a transport address of the destination of the 
communication session; and fxiii) also alternatively, if the HL245 packet is the terminal 
capability set packet, performing the steps of: (A) storing a capability of the packet 
destination from the terminal capability packet; and (B) setting the status flag as "in call 
process". 

10 Most preferably, if the status flag is "in call process" and the type of the passed 

IP packet i& the RTP packet, the RTF packei is stored. Also mo$t preferably, if the 

status flag is "in call process" and the type of the passed IP packet is the RTCP packet, 

the RTCP packet is stored. 

According to another preferred embodiment of the present invention, the 
15 method futher comprises Lhe steps of: (e) retrieving the stored data packet to form a 

retrieved cata packet; and (I) reconstructing at least a portion of the communication 

session acc ording to the retrieved data packet. 

Preferably, the step of retrieving the data packet includes the $teps of; (i) 

receiving e source IP address of the packet source, a start time of the commnnication 
2o session, and an end time of the communication session; and fii) selecting at least one 

communi cation session according to the source IP address, the start time and the end 

lime. 

Also preferably, the step of reconstructing at least a portion of the 
communication session includes displaying audio data. 
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Alternatively and also preferably, the step of reconstructing at least a portion of 
the cojumutiicatior. session includes displaying video data, 

More preferably, The step of reconstructing at least a portion of the 
communication session further comprises the steps of: (i) retrieving substantially only 
5 RTF packets; (n) examining a header of the RTP packets to detemune a time stamp for 
each of the RTP packets; and (in) displaying the RTP packets in an order according to 
the time stamp. 

According to the teachings of fee present invention, there is provided a system 
for managing a connnunication session over a computer network that includes a 

10 gatekeeper, the system comprising: (a) a network connector for connecting to the 
computer networik and for receiving data packets from the computer network: (b) a 
filtering unit for filtering the data packets and for accepting the data packets 
substantia iy only if the date packets contain data selected from the group consisting of 
audio d&ttL and video data, such that the data packets form at least a portion of the 

15 communication session and such that the data packets are selected data packets; (c) a 
management unit for receiving the selected data packets and for storing the selected 
dsta packets, such that the selected data packets are stored data packets; (d) a storage 
medium for receiving and for storing the stored data packets from the management unil s 
buch that .he at least a portion of the communication session is stored; and (e) a link, 

20 between the gatekeeper and the management unit, for transferring information related to 
the data packets from the gatekeeper to the management unit. 

Preferably, the system further comprises (f) a data restore unit for retrieving and 
displaying the at least a portion of the communication session, the data restore unit 
requesting the data packets from the storage medium through the management unit, and 
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the data restore unit reconstructing the data packets for displaying the at least a portion 

of the communication session. 

More preferably, the data restore unit further comprises a communication 

session display unit for displaying the at least a portion of the communication session. 
5 Most preferably, the communication session display unit is selected from the group 

consisting cf a video unit and an audio unit. 

According to preferred embodiments of the present invention, the system further 

comprises (g) a database connected to the filtering unit for storing filtering information, 

the filtering information including at least one TP address of a party whose 
iO communication sessions are monitored; wherein the filtering unit accepts the data 

packets according to the filtering information, such that the filtering unit substantially 

only accepts the data packets if the data packets fulfill the filtering information. 

Preferably, the system further comprises (h) a user computer for receiving at 

least one command of a user and for displaying information to the user., such that the 
is user determines the filtering information according io the at least one command of the 

user. 

More preferably, the computer network is selected from the group consisting of 
s LAN (local area network) and a WAN (wide area network). Most preferably, the 
computer network is a LAN (local area network)- 
io According to further preferred embodiments of the present invention, the LAN 

is divided into at least two segments, the system further comprising: (i) a local 
management unit for each segment, the local management unit including the Filtering 
vnh and the management unit; and (j) a central management unit for controlling the 
local management units, the cental management unit controlling storage in the storage 



19/09 ' nil 12:37 ^972 3 5625554 



DR. H. FRIEDMAN 



n 

medium 

P/eferably, the network connector is a network interface card. 
According to another embodiment of the present invention, there is provided a 
method for conducting a communication session on a computer network between a 
5 packet source arid a packet destination, comprising the steps of: (a) setting, up the 
communication session according to a first protocol suite; and (b) storing at least a 
portion of the communication session according to a second protocol suite different 
from the first protocol suite, the storing being performed by a data processor. For 
example, the second protocol suite may be an IP protocol suite. 
10 Pieffcrabry, ihe storing of the portion of the communication session is performed 

by steps including: (i) receiving a data packet from the packet source on the computer 
network; (n) analyzing the data packet to determine if the data packet is in accordance 
with the second protocol suite; and (Hi) storing the data packet to form a stored data 
packet, such that the stored data packet forms at least a portion of the commnnication 
is session. Preferably, the step of analyzing the data packet is effected by examining a 
header of the data packet. 

According to another preferred embodiment of the present invention, the step of 
storing tfo at least a portion of the communication session further comprises the step 
of: (iv) subsequent to the analyzing, if the data packet is in accordance with the second 
20 protocol suite, filtering the data packet to determine a type of the data packet. 
Pieferably, the step of analyzing the data packet is performed by examining a header of 
the dsta packet f and the step of filtering the data packet is performed by examining the 
header of the data packet. 

Preferably, the second protocol suite is an IP protocol suite, the data packet is an 
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IP packer and the step of filtering the IP packet further comprises the steps of: (i) 
examining the header of 'the IP packet to determine an IP address of the packet source; 

deteimming if the IP address is a recorded IP address; (iii) passing the IP packet to 
form a passed IF packet substantially only if the IP address is the recorded IP address; 
5 and (iv) ilternativelv. dumping the IP packet. 

More preferably, the step of determining if the IP address is the recorded IP 
address is performed by comparing the IP address to a list of IP addresses from packet 
sources, such that if the IP address is included in the list, the IP address is the recorded 
IP address. 

10 Most preferably, if the passed IP packet is an RTF packet, the RTP packet is 

stored, Also most preferably, if the passed IP packet is an RTCP packet, the RTCP 

packet is stored, 

P referably, the storing of the data packet is effected according to the type of the 
data pack et. 

15 According to another preferred embodiment of the present invention, the step of 

storing the at least a portion of the communication session further comprises the steps 
of; (iv) retrieving the stored data packet to form a retrieved data packei; mid (v) 
reconstructing at least a portion of the communication session according to the retrieved 
data packet. 

20 Preferably, the second protocol suite is an IP protocol snite, and the step of 

retrieving the data packet includes the steps of: (A) receiving a source IP address of the 
packet scarce* a start time of the communication session, and an end lime of the 
communication session; and (B) selecting at least one communication session according 
to the source IP address, the start time and the end time. 



in w 
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Also preferably, ihe step of reconstructing at least a portion of the 
communication session includes displaying audio data. 

Alternatively and also preferably, the step of reconstructing at bast a portion of 
the communication session includes displaying video data. 
5 More preferably, the step of reconstructing at least a portion of the 

communication session further comprises the steps of; (A) retrieving substantially only 
RTF packets; (B) examining a header of the RTP packets to determine a time stamp for 
each of the RTF packets; and (C) displaying the RTP packets in an order according to 
ilie time stamp. 

10 Hereinafter, the term "communication session" includes both a conversation, in 

which at least two parties converse by exchanging audio and/or video Information in 
"real time", and a message, in which at least one party records such audio and/or video 
iuformaticn for reception by at least one other party at a later dare. 

Hereinafter, the term "Internet" is used to generally designate the global, linked 

1 5 web of thousands of networks which is used to connect computers all over the world. 
As used herein, the term Afc intranet"' includes other types of computer networks, such as 
LAN (local area networks) or WAN (wide area networks). The term "computer 
network 7 ' includes any connection between at least two computers which permits the 
transmission of data T including both Internet and intranet The term "regular telephony 

io network" includes FQTS (plain old telephone system) and substantially any other type 
of telephone network which provides services through a regular telephone services 
provider, but which specifically excludes audio and/or video communication performed 
through an}' type of computer network, 
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Hereinafter, the term "computer" includes, but is not limited to, personal 
computer (PC) having an operating system such as DOS, Windows™. OS/2™ or 
Linux; Mackintosh™ computers; computers having JAVA™-OS as the operating 
system; znd graphical workstations such as the computers of Sun Microsystems ™ and 
o Silicon Crraphics™ and other computers having some version of the UNIX operating 
system such as ATX or SOLARIS™ of Sim Microsystems™; or any other known and 
available operating system. Hereinafter the term "Windows™" includes but is not 
limited to Windows95™, Windows 3.x™ In which "x" is an integer such as "1", 
Windows NT™*, Windows98™, Windows CE™ and any upgraded versions of these 
io operating systems by Microsoft Inc. (Seattle, Washington . USA), 

Hereinafter, the term "logging* refers to the process of analyzing data packets 
on a network to locate audio and/or video data, and of recording such data in an 
organized system. Hereinafter, the term "display" includes both the visual display of 
video dats, and the production of sound for audio data. 

15 

BBJEEja aCRlPTTON OiF THE DRAWINGS 

Th- invention is herein described, by way of example only, with reference to the 
accompanying drawings, wherein: 

FIG. 1 is a schematic block diagram of an exemplary communication session 
20 monitoring, system according to the present invention; 

FKk 2 is a schematic block diagram of the software modules required for 
operating tie system of Figure 1; 

FIGS, 3A-3D are flowcharts of exemplary filtering and recording methods 
according to the present invention; 
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F[GS. 4A-4D are schematic block diagrams showing the headers of H.225 
i Figure 4A), H 245 (Figure 4B) 3 RTP (Figure 4C) and RTCP (Figure 4D) packets, as 
they relate to the present invention; 

FIG. 5 is a flowchart of an exemplary communication session playback method 
5 according to the present invention; 

FIG. 6 is 3 schematic block diagram of an exemplary first embodiment of a 
basic system using the communication session monitoring system of Figures 1 and 2 
according to the present invention; and 

Fit j. 7 is a schematic block diagram of an exemplary second embodiment of a 
] o zone system according to the present invention; 

FIG. S is a schematic block diagram of an exemplary passive recording system 
according to another embodiment of the present invention. 



DESCRIPTION OF BACKGROUND ART 

15 The, following description is intended to provide a description of certain 

background methods and technologies which are optionally used in the method and 
system of the present invention. The present invention is specifically not drawn to 
these methods and technologies alone. Rather, they are used as tools to accomplish the 
goal cf the present invention, which is a system and a method for analyzing data 

20 packets on a computer network, for selectively recording audio and video data packets, 
for organizing this stored Moxination and for displaying the stored information upon 
request, sik.1i thai communication sessions with computer network-based "telephone" 
systems can be logged. 
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Fhe system and method of the present invention is particularly intended For 
operation with computer networks constructed according to the ITU-T 
Recommendation H-323 for visual telephone sysLems and equipment for local area 
network:* which provide a non-guaranteed quality of service. Recommendation H.323 

5 is herein incorporated by reference in order to further describe the hardware 
retirements and operating protocols for such computer networks, and is hereinafter 
referred toas u H.323" 

H323 describes terminals, equipment and services for multimedia 
communication over Local Aiea Networks (LAN) which do not provide a guaranteed 

10 quality of sendee, Computer terminals and equipment which fulfill H 323 may carry 
real-time voice, data and video; or any combination including videotelephony. 

The LAN over which .such terminals communicate can be a single segment or 
ring, or optionally cm include multiple segments with complex topologies. These 
terainals .ire optionally integrated into computers or alternatively are implemented in 

15 stamd-aJon* devices such as videotelephones. Support for voice data is required, while 
support for general data and vioeo data are optional, but if supported^ the ability to use a 
specified common mode of operation is required, so thai all terminals supporting that 
particular media type can communicate. The H.323 Recoiumendaticn allows more than 
one channel of each type to be in use. Other Recommendations in the H323 -Series 

20 which are also incorporated by refeiencs include H.225,0 packet and synchronization, 
H.245 control, R.261 arid H.263 video codecs, G.71 1, G.722, G.728, G.729, and OJ23 
audio codecs, and the T,120-Series of multimedia communications protocols 

ITU-T Recommendation H.245.0 covers the definition of Media steam 
packetkation and synchronization for visual telephone systems. ITU-T 
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Recommendation H.245. Q defines the Coiitrol protocol for multimedia 
communications and is hereinafter referred to as "H.245". R245 is incorporated by 
reference as is fully set forth herein. 

Hie logical chajine] signaling procedures of H.245 describes the content of each 
5 logical channel when the channel is opened. Procedures are provided for the 
communication of the functional capabilities of receivers and transmitters, so Lhat 
transmiss.ons arc limited to information which can be decoded by the receivers, and so 
that receivers may request a particular desired mode from transmitters. 

H.245 signaling i$ established between two endpoints; an endpoint and a multi- 
10 point controller or an endpoint and a Gatekeeper. The endpoint establishes exactly one 
H.245 Cooliol Channel for each call that the endpoint is participating in. The channel 
must then operate according to H.245. Support for multiple calls and hence for multiple 
11,245 Control Channels is possible, 

The RAS signaling function uses H.225.0 T7^essages to perform registration. 
15 admissions, bandwidth changes, status, and disengage procedures between endpoints 
and Gatekeepers, in LAN environments that do not have a Gatekeeper, the RAS 
Signaling Channel is not used. In LAN environments which contain a Gatekeeper, such 
that the LAN includes at least one Zone, the RAS Signaling Channel is opened between 
the endpomi and the Gatekeeper, The RAS Signaling Channeji is opeued prior to the 
2D establishment of any other channels between H,323 endpoints. 

Tht? call signaling function uses H.225.0 call signaling to establish a connection 
between two H323 cndpoinis. The Call Signaling Channel is independent from the 
RAS Charge! and the H.245 ConfeoJ Channel The Call Signaling Channel is opened 
prior to the establishment of the H.245 Channel and any other logical channels between 
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H.323 endpoints. In systems that do not have a Gatekeeper, the Call Signaling Channel 
is opened between the wo endpoints involved in the call Tn systems which contain a 
Gatekeeper the Call Signaling Channel is opened between the end point and the 
Gatekeeper, or between the endpoints themselves as chosen "by the Gatekeeper. 
5 Corresponding to the various channels defined by R323 are corresponding 

protocol that collectively constitute the H.323 protocol suite. These protocols include 
the H.225 and H.245 protocols for session setup and the RTP and RTCP protocols for 
the actual data exchange 

io DESCRIPTION OF THE PRjg f RRRED EMBODIMENTS 

The present invention provides a system and a method for analyzing data 
packets on a computer neiwcwric for selectively recording audio and video data packets, 
for organ -zing this stored information and for displaying the stored information upon 
request such that communication sessions with computer network-based "telephone 7 * 

1 5 systems cm be logged . 

The principles and operation of a method and a system according to the present 
invention may be better understood with reference to die drawings and the 
accompatr^ng description. 

Referring now to the drawings. Figure 1 is a block diagram of an exemplary 

20 system for logging and displaying audio and/or visual data from communication 
sessions performed over a computer network. A computer logging system 10 features a 
user computer 12 connected to a communication session management unit 13. 
Communication session management unit 13 is in Turn connected to an intranet 14 
through d network interface card (NIC) 16. 
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User computer 12 includes a user interface IS, v/hich is preferably a GUI 
(graphical user interface), which Is displayed on a display unit 20, User interface 18 
preferably enables Lhe user to enter such information as the definition of the parties 
whose calls should to be monitored and/or logged, and which also preferably enables 
5 the user to enter at least one command for retrieving and displaying a communication 
session. 

Display unit 211 is preferably a computer monitor. The user is able to interact 
with user computer 12 by entering data and commands through a data entry device 22. 
Data entry device 22 preferably includes at least a keyboard or a pointing device such as 

10 3 mouse, and more preferably includes both a keyboard and a pointing device, 
according to one preferred embodiment of the present invention, user computer 12 is a 
PC (personal computer). Alternatively and preferably, user computer 12 is a *1hin 
client" such a net computer which is a computer able to communicate on an IP-based 
network. One example of such a net computer is the JavaStation TU ( Sun Microsystems). 

15 The advsi'-tage of such net computers is that they allow the user to interact with 
complex, sophisticated software programs, yet generally do not have all of the powerful 
computing capabilities of currently available PC computers. 

Intranet 14 could be a LAN or a WAN, for example. The connection between 
communication session management unit J3 and inua&et 14 occurs through NIC 16, 

20 NIC 16 is preferably any standard, off-the-siieif commercial product which enables 
communication session management unit 13 to he connected to any suitable computer 
network (for example, Etherlink ft ISA/PCMCIA Adapter or Ethetlink ffl PCI Bus- 
Master Adapter (3c590) of 3-Com™ ot NE2000 Adapter of Novell™ or any other such 
suitable product). Examples of such suitable computer networks include, but are not 
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limited La any standard LAN such ils Ethernet (IEEE Standard 8G2.3), Fast Ethernet 
(IEEE Standard 802 J 0), Token Ring (IEEE Standard 802.5) and FDDL 

All data packet traffic on intranet 14 Is passed to a filtering module 24 through 
NIC 16, As shown in mors detail in Figure 3 below, filtering module 24 screens the 

5 dab packets in order to detemune which data packets fulfill the Following criteria. 
Briefly, the data packets should be IF packets with headers according to the H.225 and 
H.245 standards, indicating voice and/or video traffic. As noted previously, these 
standards define media stream packet construction and synchronization Tor visual 
telephone systems and the control protocol for multimedia communications, 

i'j Filtering module 24 then preferably passes substantially only those data packets 

which meet these criteria to a management module 28. In the Zone Configuration of the 
system of the present invention, shown in Figure 7 below, filtering module 24 
preferably also transfers messages from other communication session management 
units. 

15 Management module 28 receives the data packets passed thro-ugh by filtering 

module 24, and analyzes the received data packets. Optionally and preferably, a 
database 26 stores such information as the IP addresses of parties whose 
communication sessions should be logged, as well as the conversion table associating 
each party with at least one IF address, fci example. The stored list of TP addresses 

20 representing those parties whose calls should be logged is preferably user-defined. As 
used herein, the tfrm ^arty" refers to a person or persons communicating through a 
computer network-based telephone system. The latter preferred requirement 
Fignificar.ily reduces the amount of data stored by including only data which is of 
interest to the user. Maiia.gemsn.t module 28 analyzes and manages data in accordance 
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with the applicable 11225 anil H.245 specifications, including the H.245 control 
function, FAS signaling function and call signaling function, substantially as described 
above in the ^Description of the Background Aft' 7 section 

Management module 28 analyzes the packets m order to determine the specific 
5 CGitimimieaticn session to which the data packets belong, The type of data compression 
being used (if any), and whether the data packets were sent from an IP address which 
should be monitored. Management module 28 must perform this analysis since 
filtering module 24 simply passes all data packets which fulfill the criteria described 
brief!} above (see Figures 3A-3D for more detail). Since these packets are passed 
10 without re.pxd to any of the information stored in database 26, management module 28 
must compare the rules of database 26 to the information present in tile packet header 
of each packet in Older to determine whether the received packet should be stored. 

Those received packets which fulfill the rules of database 26 are then stored in a 
storage medium 30, which is preferably a high capacity digital data storage device such 
15 as a hard disk magnetic storage device, an optical disk, a CD-ROM, a ZIP or DVD 
drive, or a DAT cassette, or a combination of such devices according to the operational 
needs of specific applications, or any other suitable storage media. Preferably, the 
specific cDmmumcation session or "telephone calF\ with which each data packet is 
associated, is also stored in order for that session to be reconducted and displayed at a 
20 later time. 

Upon request by the user, management module 28 can then retrieve one or more 
data packets from storage medium 30 which are associated with one or more 
communication sessions, The retrieved packet or packets are then transferred to a data 
lesioie module 32. Data restore module 32 is preferably capable of manipulating these 
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retrieved packets to restore a particular communication session by using the RTP (Real 
Time Protocol). As described in further deL&ii below with regard to Figures 4C and 5, 
in those systems which follow the RTP, the data packets are sent with a time stamp in 
the header rather than just a sequence number. Such a time stamp is necessary for 

5 audio and video stream, data, in order foe the data packets to he reassembled such that 
the overall timing of the stream of data is maintained. Without such a time stamp, the 
proper tiding would not be maintained, and foe audio or video streams could not be 
accurately reconstructed. 

The communication sessions are restored from the reconstructed streams of data 

io packets by using the applicable audio and/or video CODEC'S. A CODEC is a non- 
linear method for the conversion of analog and digital data. Thus, an audio CODEC 
enables ihe digitized audio data in relevant data packets to be converted to analog audio 
data for display to the user as audible sounds, for example. Suitable CODECS are 
described in greater detail below with regard to Figure 5. 

1 5 In order for the user to receive the display of the reconstructed communication 

session, sy stem 10 preferably features an audio unit 34 and a video unit 36, collectively 
referred to as a "communication session display unit". More preferably, both audio 
unit 34 and video unit 36 are capable of both receiving audio or video input, 
respectively, and of displaying audio or video output. At the very least, audio unit 34 

20 and video unit 36 should be able to display audio or video output, respectively. For 
example, audio unit 34 could optionally include an microphone for input and a speaker 
or an earphone for output Video unit 36 could optionally include a video monitor or 
display screen for output and a video camera for input, for example. 
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Figjre 2 is a schematic block diagram of system 10 of Figure 1, showing the 
overall system of software modules of system 10 in more detail. Reference is also 
made, while appropriate, to flow charts showing the operation of these software 
modules if. more detail (Figures 3A-3D and Figure 5), as well as to descriptions of the 
5 headers of the different types o F data packets (Figures 4A-4D). 

A.3 shown, system 10 again includes a connection to intranet 14 through NIC 16. 
As the packets are transmitted through intranet 14, NIC 16 intercepts these data packets 
juJ passes them to filtering module 24. 

Filtering module 24 has wo components. A first filtering component 38 
10 examines the header of the data packet, which should be m IP type packet with the 
correct hauler, as shown in Figure 4A below. Next, first filtering component 38 passes 
die data packet to a second filtering component 40, Second filtering component 40 then 
determines the type of IP data packet, which could be constructed according to the 
H.225. H.245 r RIP or RTCP standards. 
15 As shown with reference to Figure 3A, first filtering component 38 and second 

filtering component 40 operate as follows. In Step one, a packet is received b> filtering 
module 24. The packet is given to first Filtering component 38, which then determines 
-whether the packet is an IP type packet in step two. Such a determination is performed 
lo the structure of the header of the data packet, an example of which is shown in 
20 figure 4A. A header 42 is shown as a plurality of boxes, each of which represents a 
portion ox "field" of the header. The number of bytes occupied by each portion is also 
shown, it being understood that each layer consists of 32 bits. The first portion of Ihe 
header, a "VERS" portion 44, is the protocol version number. Next, an "H. LENT 
portion 46 indicates the number of 32-bit qualities in the header. A "SERVICE 
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TYPE ? ' portion 48 indicates whether the seacler prefers the datagram to travel over a 
route with minimal delay or a route with maximal throughput. A fik TOTAL LENGTH" 
portion fiO indicates the Urtal number of octets in both the header and the data, 

in the next layer, an "EDENTIFIC ATION" portion 52 identifies the packet itself 
5 A 'TLAGS" portion 54 indicates whether the datagram is a fragment or a complete 
datagram. A "FRAGMENT OFFSET" portion 56 specifies the location of this 
fragment in the original datagram, if the datagram is fragmented. In the next layer, a 
*HME TO LIVE" portion 58 contains a positive integer between i and 255, which is 
progressively decremented at each route traveled. When the value becomes 0. the 

io packet will no longer be passed and i$ returned to the sender. A "TYPE** portion 60 
indicates the type of data being passed. A "HEADER CHECKSUM" portion 62 
enables the integrity of the packet to be checked by comparing the actual checksum to 
the value lecorded in portion 62. 

Ths next layer of header 42 contains the source IP address 64, after which the 

is following layer contains the destination IP address 66. An optional IP OPTIONS 
portion 68 is present, after which there is padding (if necessary) and a data portion 70 of 
the packet iomainmg the data begins. 

The structure of the header of the data packet is examined by first filtering 
component 38 to determine whether this header has the necessary data fields in the 

20 correct order, such that the header of the data packet has a structure according to header 
42. First filtering component 38 only allows those packets with the correct header 
structure to pass, as shown in step 3A. Otherwise, the packets are dumped as shown in 
step 3B. 
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Those packets with the correct header, or il lP packets", are then passed to 
second filrering component 40. Second filtering component 40 then performs the 
remainder of the filtering steps. In step 3A, second filtering component 40 examines 
the TP packets to determine their type from the data portion of the packet as shown in 
> FiguTe 4A. The packets could be in one of four categories: R225. H.245. RTF and 
RTCP The seeps of the roeihod for H.225 packets are shown in Figure 3A, while the 
procedure* for ilie remaining packet types are shown in Figures 3B-3D, respectively. 

Ones the type of the packer has been determined, both the packet itself and the 
information regarding the type of packet are both passed to management module 28, as 
10 shown in Figure 2, Thi? packer is then passed to the relevant component within 
managed cnt module 28 ? also as shown in Figure 2, for the recording process to be 
performed. The recorded packets are stored in storage module 30, as described in 
greater dstail below with regard to Figures 3C and 3D. 

tf the packet has been detennifled to be an H.225 packet according to the header 
15 of the packet (see Figure 4B)> the packet is passed to an H.225 call control module 78 
within management module 28, as shown in Figure 2, The steps of the management 
method are as follows, with reference to Figure 3 A. In step 4A of Figure 3A* the H.225 
packet is examined to see if it is a setup packet, which is determined according to the 
structure of the data in the packet. This stmeaire is specified in the H.225 .0 
20 recomrr.cindation, and includes at least the following types of information: 
protocolldentifier (the version of FL225.0 which is supported); 
h245Address (specific transport address on which H.245 signaling is to be 
established by the calling endpoint or gatekeeper); 

sourceAddress (the FL323 JD's for the source); 
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SGdrcelaFo (contains an EndpointType io enable the party being called to 
determine whether the call includes a gateway or not); and 

dcitmationAddrcss (this is address to which the endpoim wants to be 
connected), 

5 Other types of data are also required, as specified in the H225.0 Recommendation. 
This data struct tire enables R225 call control module 78 to detenniae whether the 
packet is h $etup packet. 

ff vjiis packet is a setup packet then the first branch of the method is followed. 
The sourci parr is taken from a source port field 74 of an H.225 header 72, and the 

10 destination port is taken from a destination port field 76 (see Figure 4S). In step 5 A, 
database -26 of Figure 1 is then examined to detennine whether either of the 
corresponding terminals is defined as a recording terminal; that is, whether 
ccmnruni03i:on sessions initiated by the IP address of this terminal should be 
monitored. If true, then in step 6 A, the terminal status is set as a start session request 

15 from the terminal corresponding to the source port. 

Altimarively, the packet is examined to see if it is a connect packet in step 43, 
which is dttteraained according to the structure of the data in the packet This structure 
is specified in the H225.0 recommendation, and includes at least the following types of 
information: 

20 protoeoildenuflex (the version of K225 0 which is supported); 

h24.5 Address (specific transport address on which J-L245 signaling is to be 
established by the calling eodpomi or gatekeeper); 

dest nationlnfo (contains an EndpointType to enable the caller to determine 
whether the call includes a gateway or not); and 
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conferenccID (contains a unique Identifying number to identify the particular 

conference}* 

If the packet is a connect packet, then the second branch of the method is 
followed. Id step 5B, the flag indicating the terminal status is examined to determine if 
5 the terminal status is set as a start session request In step 6B ? the details of the call 
signal are saved in a call progress database 78 of storage medium 30 (see Figure 2). 
These deldls preferably include the source and destination I? addresses, the source and 
destination ports; the time at which the communication session was initiated, and any 
other relevant information. In step 7B r the status of the tenirinai is set to 6ft wait for the 
10 logic channel"* 

If ihe packet has been determined to be an H.245 packet by second filtering 
component 40, the packet is passed to an H.245 call control module 82 within 
management module 28, as shown in Figure 2. Such H.245 packets are necessary for 
H.245 signaling. H.245 signaling is established between two endpoints: anendpoint and 
* 5 a multi-poi nt controller, or an endpoint and a Gatekeeper (see Figures 6 and 7 below foi 
examples and a description of such endpoints}. Each endpoint is capable of calling and 
of being ceiled as part of a communication session. However, the system of the present 
invention only monitors, rather than initiating, such communication sessions. Thus, the 
system of ths present invention uses the H.245 signaling tc determine when the 
20 communication session ha*> started in order to effectively record the necessary data 
packets for the storage and later reconstruction of the session. 

The steps of the management method for H.245 packets are as follows, with 
reference to Tigure 3B. In step 1A of Figure 3B, the H.245 packet is examined to 
determine if it is an open logical channel request packet. If it is, than in siep 2A : the 
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terminal status is examined to determine if the status is "wait for the logical channels 
If so, then in step 3 A the terminal status is set to '"wait for acknowledgment^ 

Alternatively, the H.245 packet is examined to determine if it is an open logical 
channel acknowledgment packet, as shown in step IB, If it is, then in step 2B, the 

5 tenninaJ stouts is examined to determine if the status is "wait for acknowledgment". If 
so, then in step 3B the terminal status is set to "wait for tenninaJ capability". In step 
4B, the transport address of the "called" ox destination terminal is saved. This transport 
address is taken from the destination poxi field 76 of header 72 (see Figure 4B). It 
should be noted that H.225 and H.245 packets have identical header structure?, 

10 Also alternatively, the H.245 packet is examined to determine if ii is a terminal 

capability set packet, as shown in step 1C. If it is r then in step 2C, the terminal 
capability is saved in call progress database SO (see Figure 2). In step 3C, die terminal 
status is ?et to ,s in call process 1 ', such that the communication session has been 
determined rc be opened and such that management module 28 can now receive RTF 

b data packets. 

If ihe packet has been determined to be a RTF packet by second filtering 
component 40, ihe packet is passed to a RAS (registration* admissions and status) 
control module 84 within management module 28. as shown in Figure 2 The steps of 
the management method fox RTP packets arc as follows, with reference to Figure 3C. In 
io step l of Figure 3C ? the terminal status is examined to see if it is : ln call process" If so 
then in step 2, the RTP packets are saved in a RTP database $6 within storage medium 
30 (see Figure 2)- Figure 4C shows the structure of the RTF packet header, which can 
be used to identify the coronnunication session from which the packet was taken. 
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Finely, if the packet has been determined to be a RTCP packet by second 
filtering component 40, the packet is passed to a RTCP control module 88 within 
management module 28, as shown in Figure 2. The steps of the management method 
for RTCP packets are as follows, with reference to Figure 3D- In step 1 of Figure 3D 5 

5 the termind status is examined to see if it is kS in call process". If so then in step 2, the 
RTCP packets are saved in call progress database 80 within storage medium 30 (see 
Figure 2), Figure 4D shows the structure of the RTCP packet header, which can be used 
to identify the communication session from which the packet was taken. 

Thus, Figures 3A-3D illustrate the method of the present invention with regard 

10 to the filtering and storage of data packets which constitute the recorded 
communication session, as recorded by the system of the present invention as shown in 
Figures 1 md 2. Of course, in addition to recording such communication sessions, the 
system of the present invention is also able to retrieve and to replay these 
communication sessions to the user. The stored communication session, composed of 

is siored data packets, can be retrieved and displayed by data tesiox^ imit 32 of Figure 2, 
in conjunaioiji with audio unit 34 and video unit 36, The method of retrieving and 
replaying sessions of interest is shown in Figure 5, while certain other relevant portions 
of the system of the present indention are shown in Figure 2. 

in step 1 of Figure 5, the user inputs the information concerning the 

20 communication session which is to be retrieved and replayed. This information 
preferabh includes die terminal number* or oilier designation information concerning at 
least one of the parties of the communication session of interest; the time at which the 
session started; and the time at which the session ended. However, alternatively other 
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imbn nation could be Included in place of this information, as long as sufficient 
information is provided for the communication session of interest to be identified. 

In step 2 of Figure 5, call progress database SO (sec Figure 2) is searched by data 
restore wilt 32 in order to find the details of the communication sessionfs) in the 
5 specified i ime range. These details are then compared to the information entered by the 
user to loiate st least one coimnuoicaticm session of interest in the call range. 

In step 3. RTP database 86 of storage medium 30 (see Figure 2) is searched, 
again by cata restore unit 32, to find substantially all data packets from the at least one 
communication session in the specified call range* Optionally and preferably, in Step 4 S 
10 if the audio portion communication session was recorded in stereo, then the data 
packets are divided into different audio channels. 

In :step 5, die data packets are restored by data restore luiil 32 by an RTP (Real 
Time Protocol) software module 91 within data restore unit 32. RTP software module 
91 orders the data packets, within each channel according to the time stamp of each 
15 packet. As shown m Figure 4C, an RTP packet header 92 features several important 
fields: a tiincstarr.p field 94, a synchronization source (SSRC) identifiers field 96 and a 
contributing source fCSRC) identifiers field 98. SSRC field 96 is used to determine the 
source of the RTP packets (the sender), which has a unique identifying address (the 
SSRC identifier). The CSRC identifier in CSRC field 98 is used in a conference with 
20 multiple psriies, and indicates the SSRC identifier of all parties. Timestamp field 94 is 
u$ed by RTP software module 91 to determine the relative time at which the data in 
each packet should be displayed. 

For example, preferably ihe audio stream data of the audio speech of one person 
is synchronized to that person's lip movements as shown in the video stream, a process 



10' 09 00 12^46 ©872 3 5625554 



DR. JSI, FRIEDMAN 



8 036 



31 

known a$ lip synchronization 7 *. Such synchronization requires more than simply 
replaying a jdio and video data at certain relative time points, since the &udio snd video 
data packds may not arrive ai the same time, and may therefore have slightly different 
timesiamps , 

5 Qmz the data packet has been correctly synchronized, the control of the display 

of the audio data is then performed by an audio component 102 of data restore unit 32 
according to one <?r more audio CODEC'S (see Figure 2). The control of the display of 
the video data is then performed by a video component 100 of data restore unit 32 
aecordzng.to one ot more video CODEC'S (see Figure 2). 

10 Suitable CODEC'S include, "but are not limited to, zrn audio codec using CCITf 

Recomme ndation GJI1 (19881 Puke Code Modulation (PCM) of voice frequencies; 
an audio codec using CCUT Recommendation QJ22 (1968), 7 kHz audio-coding 
mtkin 64 khit/s; a» audio codec using ITU-T Recommendation G ?23J (1996), Speech 
coders: Dual rate speech coder for multimedia communications transmitting at 5.3 

l ? and 63 Kbp&: an audio codec using CCITT Recommendation G. 728 (1992), Coding of 
speech at 1 6 Kbps using low-detay code excited linear prediction; an audio codec using 
ITU-T Recommendation GJ29 0996), Coding of speech at 8 Kbps using conjugate 
structure algebraic code-excited linear-prediction (CS-ACELP); a video codec u$ing 
ITU-T Recommendation H.26i (1993a Video codec for audiovisual services at 

2D p x 64 koit/r, a video codec using ITU-T Recommendation M.263 (1996), Video coding 
for hjw bit rale communication; and substantially any other similar coding standard. 

as shown in Figure 2, the audio data is displayed by audio unit 34, which could 
include a loudspeaker, for example. The video data is displayed by video unit 36 ? 
which c^uld include a display monitor screen, for example. Step 5 of Figure 5 is then 
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preiciab ! ) repeated, such that substantially the entirety of the communication session is 
displayed. As shown m step 6, each data packet of the communication session is 
examined to sec if the call time is over, If the individual session has not completed, 
preferably step 5 is repeated. Alternatively and preferably, if the call lime is over, then 
5 call pro£;ress database SO is searched to set; if other communication sessions were 
recorded within the given time period, as shown in step 7. If there is at least one other 
such coramtuiication session, then preferably the method of Figure 5 is repeated, 
starting f'om step 2. 

According to prefened embodiments of the present invention, several 
iu configurations cf the computer logging system are possible, examples of which are 
shown in Figures 6 and ?. 

According to a first embodiment of the system of the present invention, shown 
in Figuie 6, a typical basic configuration system 104 inciude$ a single communication 
session management unit 13, substantially as shown in Figures 1 and 2, according to the 
15 present nventfcm, Conummication session management uait 13 manages 
communication in a stand-alone intranet such as a LAN 106. LAM 106 is connected 
both to communication session management unit 13 and to a plurality of terminals 108, 
designated as L T]", 'TT* and so forth, which follow the H.323 protocol. Each terminal 
108 is an endpeint on LAN 106 which provides for reai-time, two-way communications 
70 with another terminal 108, a gateway 110 ? or a multipoint control unit (MCU) 112. This 
communication consists of control, indications, audio streams, video streams, and/or 
-data. Terminal 10S is optionally only capable of providing such communication for 
audio only, audio and data, audio and video, or audio, data and video. As noted 
previously in the "Description of the Backgroiind Art" section, the H-323 entity could 
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be a terminal winch h capable of providing audio and/or video coironiinicatioa as a 
"LAN telephoned but could also be a stand-alone audio or video telephone. 

Gateway 110 (GW) is constructed according to f-1.323 and is an 
endpoint in LAN 106 which provides far real-time, two-way communications between 
5 terminals 108 on LAN 106 and other suitable terminals on a WAN (not show), or to 
another s ich Gateway (not shown). Other suitable terminals include those complying 
with Recommendations H.310 (H.320 on B-TSDN), H.320 (ISDN), R321 (ATM), 
H.322 (GQOS-LAN), H.324 (GSTN) ? H.324M (Mobile), and V.70 (DSVD). 

MCU 112 is an endpoint on LAIN 106 which enables three or more terminals 
10 108 and gateways 1 10 to participate in a nrultipoinL conference. 

Preferably, system 104 also features ft gatekeeper (GK) 114, which is an H.323 
entity on LAN 106 which provides address translation and controls access to LAN 106 
for terminals 108, gateways 110 and MCUs 112. Gatekeeper 114 may also provide 
other services to temoinals 108, gateways 110 and MCUs 112 such as bandwidth 
if management and locating gateways 110. Preferably, gatekeeper 114 enables the IP 
address of Terminals 108 on LAN 106 to be determined, such that the correct IP address 
can be determined "on the fly", 

lri addition, LAN 106 may support non audio visual devices for regular T.120 
data apple-aliens such as electronic whiteboards, still image transfer, file exchange, 
20 database access, etc. 

In basic system 104, a single, stand-alone communication session management 
unit 13 is used for monitoring, logging and retrieval of all audio and/or visual colls 
either between any two or more terminals 108 attached to LAN 106 or any call to 
which or..e or more of these terminals 108 is a party. 
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However- for the preferred embodiment of the system of Hgure 6 which 
include? gatekeeper 114 as well as for the system of Figure 7, once the commiirricatinn 
session has been opened, preferably RAS connol module 84 also perforins RAS 
signaling between the management control module and NIC 16 where necessary for the 

5 configuration of the system. Snch signaling uses H.225.G messages to perform 
registration, admissions, bandwidth changes, status, and disengage procedures between 
endpoints and gatekeepers. These messages are passed on a RAS Signaling Channel, 
which is independent from the. Call Signaling Channel and the 31.245 Control Channel 
H-245 open logical channel procedures are not used to establish the RAS Signaling 

1 1) Channel In LAN environments which contain a Gatekeeper (a Zone), the RAS 
Signaling Channel i$ opened between the endpoint and the Gatekeeper. The RAS 
Signaling Channel is opened prior to the establishment of any other channels between 
H.323 endpoints, 

figure 7 shows a second embodiment of the system of the present invention as a 
15 zone corJaguratfon system 116. A zone 1 18 is the collection of ali terminals (Tx) 11*8, 
gatev*i>s (QW) 110. and multipoint control units (MCUs) 112 managed by a single 
gatekeeper (GK) 114- Zone 118 includes at least une tatminal 108, hut docs not 
necessarily include one or more gateways 110 or MCUs 112, Zone 118 has only one 
gatekeeper 114 as shown. However, in the preferred embodiment shown, zone 118 is 
20 preferably independent of LAN topology and preferably includes multiple LAN 
segments 120 which are connected using routers (R) 122 as shown or other similar 
devices. 

Each, monitored LAN segment 120 has a local communication management unit 
124 according to the present invention, of which two are shown. A central management 
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unit 126 according to the present invention controls all local communication 
management units 124. In addition to centralized database and control services central 
management unit 126 can be used for the real-time monitoring and off-line restoration 
of audio and/or video communi cation sessions from a single point. Central management 
s unit 126 is opriondly and preferably either a dedicated unii similar in structure to local 
communication management units 124 bui without the storage capability, or central 
management unit 126 is aitematively and preferably integrated with tocai 
communication management units 124 to provide the functionality of both local 
communication management nnit 124 and cental manzgement unit 126 in a single 

10 station. Local communication management units 124 axe preferably either 
communication session management units 13 substantially as described in Figures I 
and 2. or alternatively and preferably are simpler units which lack the capability to 
retrieve and display a communication session locally. 

In slili another preferred embodiment of the present invention (not shown), 

i> amla-user operation based on Client/Server architecture is preferably supported for 
basic system 104 and zone system 116. An unlimited number of "Client" stations may 
be connected anywhere on the LAN, providing users with management and 
monitoring/retrieval capabilities determined by the authorization level of each specitic 
user. 

20 Yet another preferred embodiment of the present invention, illustrated in Figure 

8, addresses the challenges of an Internet Protocol (IP) distributed switching 
environment. 

Recording systems experience the following challenges when interfaced with an 
IP environment: 
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Because thtae is no central switching matrix, voice streams between any 
extension A and B can be routed via the WAN without providing 
a means lo capture the calls at the site where the recording 
systems arc located. 

Because the IP network consists of switch boxes, routers and bridges, 
the network topology can have a negative influence on the 
recording. 

Few multimedia IP protocol suites include encryption. In particular, the 
T-L323 protocol suite lacks encryption- in order for the recording 
system to dt-encrypt the signal, the recording system needs to act 
as a 'legal" parly with the recorded call_ The only way to 
become a "legal" party with the recorded call is to turn the call 
into a conference call m which the recording system is one 
member of the conference. 
Multimedia IP protocols define several types of audio and video 
CODECS (G-711, 0-722, G.72S, G/723, G.729 7 11.261 and 
11,263). Thus, during recording playback operation the recording 
system should have the capability of changing from one 
CODECS to another per the endpoint capability, if the \oicc or 
the video was recorded and stored using a different CODECS. 
System 104 of Figure 6 is intended for use in a standard H 323 environment, 
Terminal* 108 conduct telephone conversations among themselves, or alternatively 
with POTS telephones via gateway 110. In order ro make these calls, terminals 108 
communicate with gatekeeper 114 in order to find the destination terminal or gateway 
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on LAN ubiiig die RAS protocol tc perform call setup under the HL22S protocol and to 
negotiate the RTP stream characteristics under the H.245 protocol. Note thai these 
protocols all belong to the H.323 protocol suite. The communication with gatekeeper 
114, under the RAS, K225 and H.245 protocols, is the signaling part of the call and is 

5 used to establish die RTP or RTCP streams of the call which are used to cany the actual 
voice or video data. MCU 112 provides the ability to perforin conferencing among 
three or more parties. All of the above communications are performed over LAN 106, 

Communication session management unit 13 is connected on LAN 106 in such 
a way that communication session management unit 13 is able to sniff all the packets of 

\ o a conversation, both signaling packets and RTF or RTCP packets. Prior art connection 
methods include: 

1 , using a hub, in which case all packets are passed to all ports in 
the hub; and 

2. monitoring strategic ports of a switched hub by other ports on the 
15 switched hub, 

Likelv ^strategic ports under the second alternative arc the ports of ihe switched hub to 
which one or more gateways 110 are connected, in which case alt outgoing calls can be 
recorded, in this example, gateway 1 10 is connected to the monitored port of the 
switching hub and conunuiucation session management unit 13 is connected to the 
20 monitoring port of the switching hub- 

Commtmtcation session management unii 13 sniffs the RTP and RTCP packets 
of the conversation and extracts the voice or video dam from these packets, in order to 
associate these data with a telephone extension number, or with the name of the person 
at the extension, the H323 signaling must be analyzed. This solution does not work in 
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Voice Over IP systems In which the signaling protocols are not within the B32j 
protocol suite_ Sack signaling protocols include SIP, MGCP and Cisco's proprietary 
Skinny protocol 

A third embodiment 150 of *h« system of the present invention, that does not 
5 depend on the signaling protocol, is illustrated in Figure S. In system ISO, the voice or 
video data are recorded, as in system 104 of Figure 6, by having communication session 
management wir IS sniff the RTP aid ETC? packets. The innovation of system 150 is 
the addition of a link 160 between, communication session management unit 13 arid 
gatekeeper 114, Specifically, link 160 connects management module 28 of 
10 communication session management unit 13 to gatekeeper 114. Link 160 provides CT1 
(computer telephone integration) data or CDR (call data records) data to 
communication session management unit 13. These data replace the data which hre 
retrieved by analyzing the TL323 protocols in system 104 of Figure 6. These data 
include caller's IP address, and other identifying information, such as extension 
! ^ number, caller's name, or any other information that arrives via link 160. Optionally, 
the caller's IP address may be inferred from the other identifying information. These 
data are used by communication session management unit 13 to associate calls with 
extension numbers, criers 1 names or any other information that arrives via link 160, 
Link 160 is a logical link that may be implemented in several ways, including: 
20 1. On the same LAN that is used for Voice Over IP calls, In this 

manner, no additional hardware is needed on communication 
session management unit 13. 
2. On a separate LAN from the LAN that is used for Voice Over IP 
calls. Under this alternative, communication session 
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management unit 13 includes an additional network adapter, 
similar to NIC 16. ihat is used specifically for link 160 
3, On a serial connection using one of the serial ports of 
communication session management unit 13, 
5 Because link 160 is a logical link, Figure 8 serves to illustrate all three of these 
implementations 

System 150 of Figure 8 has the following a J vantages: 

1 There is no dependence en the type of signaling used in. the Voice Over 
IF system, bystem 150 works with all signaling types. 
10 2. Link 160 may transfer more information than can be retrieved from the 

H.323 signaling protocols. This information may include, for example, application- 
specific information such as insurance policy number in the case of system 150 being a 
component of an insurance company's call center. 

5 Because fewer messages arrive at communication session management 
15 unit 13, system 150 reduces die burden on the CPU of communication session 
management unit 13, resulting in an Increase in die number of channels that can be 
recorded simultaneously- 

System 150 of Figure & may be reduced to practice using the following 
commercially available components: 
20 Gatekeeper 114: Call Manager 3.0™ by Cisco System* Inc., San Jose CA 

Link 160: A JTAPF M connection of the Call Manager 3.0™ 

Terminals 108: VIP 30 rM or SP both by Cisco Systems, Inc., San Jose 

CA 
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Gateway ilfl: Catalyst 364ft™, by Cisco Systems, Inc., San Jose CA 
MCU 112: Cunfeienue Plug-la on the Call Manger 3,0™ 
Communication session management unit 13: Niceiog™ by Nice Systems T,td. 3 
Ra'anana, Israel 

LAN 106: Switch Hub Catalyst 2924™. by Cisco Systems, Inc., San Jose CA 
It wiU be appreciated that the above descriptions are Intended enly to serve es 

examples, and that many other embodiments arc possible within the spirit and the scope 

cf the present invention. 
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WHAT IS CLAIMED IS: 

1 A system for managing a communication session over a computer 
network that includes a gatekeeper, the system comprising: 

(a) b network connector for connecting to the computer network and for 
receiving data packets from the computer network: 

(b) a filtering unit for filtering said data packets and for accepting said data 
packets substantially only if said data packets contain data selected from 
the group consisting of audio data and video data, such that said data 
packets form at least a portion of the communication session and such 
that said data packets are selected data packets; 

(c) a management unr for receiving ;>ald selected data packets and for 
storing said selected data packets, such that said selected data packets 
are stored data packets; 

(d) a storage medium for receiving and rbr storing said stored data packets 
from said management unit, such that said at least a portion of the 
communication session is stored; and 

(e) sl link,, between the gatekeeper and said management unit, for 
transferring information related to said data packets from the gatekeeper 
to said management unit. 

2. The system of claim 1, further comprising: 

(f) a data restore unit for retrieving and displaying said at least a portion of 
the communication session, said data restore unit requesting said data 
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packets from said storage medium through said management unit, and 
said data restore unit reconstructing said data packets for displaying said 
at kast a portion oi the communication se&sion- 

3. Tne system of claim 2, wherein said data restore unit further comprises a 
communication session display unit for displaying said a; least a portion of the 
communication session, 

4. The system of claim 3 S wherein said communication session display unit 
is selected from the group consisting of a video unit and an audio unit, 

5, The system of claim 2. further comprising; 

(g) a database connected co said filtering unit for storing filtering 
information, said filtering information including at least one IP address 
of a party whose communication sessions are monitored; 

wherein said filtering unit accepts said data packets according to said filtering 
information, such that said filtering unit substantially only accepts said data packets if 
said data packets fulfill said filtering information. 

6, The system of claim 5 5 further comprising: 

(h) a user computer for receiving at least one command of a user and for 
displaying uifunnLi&un Lo said user, such that said user determines said 
filtering information according to said at least one command of said 
user. 
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7. The system of claim 6, wherein the computer network is selected from 
the group consisting of a LAN (local area network) and a WAN (wide area network). 

8. The system of claim 7, wherein the compuicr network is a LAN (local 
area network). 

9. The system of claim 8, wherein said LAN Is divided into at least two 
segments the system further comprising: 

(1) a local management unit for each segment, said local management unit 
including said filtering unit and said management unit; and 

(j) a central management unit for controlling said local management units, 
said oenrral management unit controlling storage in said storage 
medium. 

10. The system of claim L wherein said network connector is a network 
interface card. 

1L A method for conducting a communication session on a computer 
network between a packet source and a packet destination, comprising the steps of. 

(a) setting up the cormnnnication session according to a first protocol suite; 
and 

{b) storing at least a portion of the communication session according to a 
second protocol suite different from said first protocol suite, said storing 
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being performed by a data processor. 



IX The method of claim 11, wherein said second protocol ^uite is an IP 
protocol suite. 

13. The method of claim 11, wherein said storing is effected by steps 
including. 

(J) receiving a data packet from the packet source on the computer network; 
(it) analyzing said data packet to determine if said data packet is in 

accordance with said second protocol suite; and 
(iii) storing said data packet to form a stored data packet, such Lhat said 

stored dam packet forms at least a portion of the communication session. 

14. The method of claim 13 9 wherein the step of analyzing said data packet 
is performed by examining a header of said data packet 

15. The method of claim 13. wherein the step of storing said at least a 
portion of the communication session further comprises the step of: 

Civ) subsequent to said analyzing, if said data packet is in accordance with 
said second protocol suite, filtering said data packet to determine a type 
of said data packet 



1 6. The method of claim 15, wherein the step of analyzing said data packet 
is performed by examining a header of said data packet. 
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1 7. The method of claim 16, wherein the step of filtering said data packet is 
performed by examining said header of said data packet. 

IS. The method of claim 17, wherein said second protocol suite is an IP 
protocol suite, wherein said data packet in accordance with said second protocol suite is 
an I? pac<et. and wheiein the step of filtering said IP packet further comprises the steps 

of: 

(A) examining said header of said IP packet to determine an IP address of 
said packet source, 

(B) detennining if said IP address is a recorded IP address; 

(C) passing said IP packet to form a passed IP packet substantially only if 
said IP address is said recorded IP address; and 

(D) alternatively, dumping said IP packet, 

19. The method of claim 18 f wherein the step of detennining if said IP 
address is said recorded IP address is performed by comparing said IP address to a list 
of IP addresses from packet sources, such that if said IP address is included in said list, 
said IP address is said recorded IP address, 

20, The method of claim 18, wherein if said passed IP packet is an RTP 
packet, sloring said RTP packet. 
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21, The method of claim IS, wherein if said passed IP packet is an RTCV 
packet, storing said RTCF packet. 

22 The method of claim 15, therein said staring of said dam packet is 
effected according to said type of said data packet 

23 . The method of claim 1 3 , wherein the step of storing at least a portion of 
the cummimication session further comprises the steps of: 

viv) retrieving said stored data packet to form a retrieved data packet; and 
(v) reconstructing at least a portion of the comxnunicaTTOTi session according 
to said retrieved data packet 

24. The method of claim 23. wherein said second protocol suite n an I? 
protocol suite, and wherein the step of retrieving ^aid data packet includes the steps of: 

(A) receiving a source IP address of the packet source, a start time of the 
cosmmiffli cation session, arid an end Time of the communication session; 
and 

(Bj selecting at least one communication session according to ^id source ft-' 
address, said start time and said end time. 

25. The method of claim 23, wherein said second protocol suite is an IP 
protocol suite, and wherein the step of retrieving said data packet includes tbe steps of: 

(A) receiving identifying Mormation related to the communication session, 
a start time of the communication session and an end time of the 
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cummiujicaUon session; 
(13) inferring a source I? address from said identifying information; and 
(C) selecting at least one communication session according to said source IP 

address, said start nmc and said end time. 

26. The method of claim 23, wherein the step of reconstructing at least a 
portion of the communication session includes displaying audio data. 

27. The method of claim 23, wherein the st??p uf reconstructing at teast a 
portion of the communication session includes displaying video data. 

2S- The method of claim 23. wherein said second protocol suite is in IP 
protocol suite, and wherein the step of reconstructing at least a portion of the 
communication session further comprises the steps of! 

(A) retrieving substantially only RTP packets; 

(B) examining a header of said RTP packets to determine a time stamp for 
each of said RTP packets; and 

(C) displaying said RTP packets in an order according to said time stamp. 
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ABSTRACT OF THE DISCLOSURE 

A system and a method for monitoring a computer network to detect data 
packets including audio or video data, such packets being part of a communication 
session, for storing these packets and for reconstructing the communication session 
upon request. To enable the system to store packets independently of the protocol used 
to set up the communication session, for example in a Voice Over IP environment* the 
system includes a link to the gatekeeper of the computer network. 
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